Agent-based network scanning in software-defined networking (SDN) environments

ABSTRACT

Example methods are provided for a network scanning controller to perform agent-based network scanning in a software-defined networking (SDN) environment. In one example, the method may comprise identifying multiple networks for which network scanning is required, performing a first network scan using a first agent to obtain first address mapping information associated with multiple first workloads, and performing a second network scan using a second agent to obtain second address mapping information associated with multiple second workloads. The first agent and the multiple first workloads may be located in a first network, and the second agent and the multiple second workloads in a second network. The method may also comprise generating aggregated address information based on the first address mapping information and the second address mapping information.

RELATED APPLICATIONS

Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign Application Serial No. 201741042815 filed in India entitled “AGENT-BASED NETWORK SCANNING IN SOFTWARE-DEFINED NETWORKING (SDN) ENVIRONMENTS”, on Nov. 29, 2017, by NICIRA, INC., which is herein incorporated in its entirety by reference for all purposes.

BACKGROUND

Unless otherwise indicated herein, the approaches described in this section are not admitted to be prior art by inclusion in this section.

Virtualization allows the abstraction and pooling of hardware resources to support virtual machines in a Software-Defined Networking (SDN) environment, such as a Software-Defined Data Center (SDDC). For example, through server virtualization, virtual workloads such as virtual machines running different operating systems may be supported by the same physical machine (e.g., referred to as a “host”). Each virtual machine is generally provisioned with virtual resources to run an operating system and applications. The virtual resources may include central processing unit (CPU) resources, memory resources, storage resources, network resources, etc.

Through SDN, benefits similar to server virtualization may be derived for networking services. For example, logical overlay networks that are decoupled from the underlying physical network infrastructure may be configured. Similar to a physical network, logical switches and logical routers may be configured to provide respective layer-2 switching and layer-3 routing services to virtual machines. In practice, address information (e.g., hardware address information, network address information, etc.) associated with workloads in an SDN environment may be useful for various purposes, such as automated configuration, management, security assessment, etc. However, it may be challenging to retrieve the address information, especially when the workloads are deployed in different networks.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram illustrating an example Software-Defined Networking (SDN) environment in which agent-based network scanning may be performed;

FIG. 2 is a schematic diagram illustrating an example agent-based network scanning in the SDN environment in FIG. 1;

FIG. 3 is a flowchart of an example process for a network scanning controller to perform agent-based network scanning in an SDN environment;

FIG. 4 is a flowchart of an example detailed process for agent-based network scanning in an SDN environment;

FIG. 5 is a schematic diagram illustrating a detailed example agent-based network scanning in an SDN environment according to the example in FIG. 4;

FIG. 6A is a schematic diagram illustrating example address mapping information obtained by a network scanning controller in the example in FIG. 5;

FIG. 6B is a schematic diagram illustrating example aggregated address mapping information generated by a network scanning controller in the example in FIG. 5; and

FIG. 7 is a schematic diagram illustrating example agent-based network scanning in an SDN environment with containers.

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the drawings, can be arranged, substituted, combined, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.

Various challenges relating to address information retrieval will now be explained in more detail using FIG. 1, which is a schematic diagram illustrating example software-defined networking (SDN) environment 100 in which agent-based network scanning may be performed for a multi-node application. It should be understood that, depending on the desired implementation, virtualized computing environment 100 may include additional and/or alternative components than that shown in FIG. 1.

In the example in FIG. 1, SDN environment 100 includes multiple hosts, such as host-A 110A, host-B 110B and host-C 110C that are inter-connected via physical network 105. Each host 110A/110B/110C includes suitable hardware 112A/112B/112C and virtualization software (e.g., hypervisor-A 114A, hypervisor-B 114B, hypervisor-C 114C) to support various virtual machines (VMs) 131-136. For example, host-A 110A supports VM1 131 and VM2 132; host-B 110B supports VM3 133 and VM4 134; and host-C 110C supports VM5 135 and VM6 136. In practice, SDN environment 100 may include any number of hosts (also known as “host computers”, “host devices”, “physical servers”, “server systems”, “transport nodes,” etc.), where each host may be supporting tens or hundreds of VMs. Hypervisors 114A-C may each implement any suitable virtualization technology, such as VMware ESX® or ESXi™ (available from VMware, Inc.), Kernel-based Virtual Machine (KVM), etc.

Although examples of the present disclosure refer to virtual machines, it should be understood that a “virtual machine” running on a host is merely one example of a “virtualized computing instance” or “virtual workload.” A virtualized computing instance may represent an addressable data compute node or isolated user space instance. In practice, any suitable technology may be used to provide isolated user space instances, not just hardware virtualization. Other virtualized computing instances may include containers (e.g., running within a VM or on top of a host operating system without the need for a hypervisor or separate operating system or implemented as an operating system level virtualization), virtual private servers, client computers, etc. Such container technology is available from, among others, Docker, Inc. Example containers will be discussed further using FIG. 7. The VMs may also be complete computational environments, containing virtual equivalents of the hardware and software components of a physical computing system. The term “hypervisor” may refer generally to a software layer or component that supports the execution of multiple virtualized computing instances, including system-level software in guest VMs that supports namespace containers such as Docker, etc.

Hypervisor 114A/114B/114C maintains a mapping between underlying hardware 112A/112B/112C and virtual resources allocated to respective VMs 131-136. Hardware 112A/112B/112C includes suitable physical components, such as central processing unit(s) or processor(s) 120A/120B/120C; memory 122A/122B/122C; physical network interface controllers (NICs) 124A/124B/124C; and storage disk(s) 128A/128B/128C accessible via storage controller(s) 126A/126B/126C, etc. Virtual resources are allocated to each VM to support a guest operating system (OS) and applications. Corresponding to hardware 112A/112B/112C, the virtual resources may include virtual CPU, virtual memory, virtual disk, virtual network interface controller (VNIC), etc. Hardware resources may be emulated using virtual machine monitors (VMMs) 141-146, which may be considered as part of corresponding VMs 131-136, or alternatively, separated from VMs 131-136. In the example in FIG. 1, VNICs 151-156 are emulated by corresponding VMMs 141-146. Although one-to-one relationships are shown, one VM may be associated with multiple VNICs (each VNIC having its own network address).

Through software-defined networking (SDN), benefits similar to server virtualization may be derived for networking services. For example, logical overlay networks may be provided that are decoupled from the underlying physical network infrastructure, and therefore may be provisioned, changed, stored, deleted and restored programmatically without having to reconfigure the underlying physical hardware. Hypervisor 114A/114B/114C further implements virtual switch 115A/115B/115C and logical distributed router (DR) instance 117A/117B/117C to handle egress packets from, and ingress packets to, corresponding VMs 131-136 located on logical overlay network(s). In practice, logical forwarding elements such as logical switches and logical distributed routers may be implemented in a distributed manner and can span multiple hosts to connect VMs 131-136. For example, logical switches that provide logical layer-2 connectivity may be implemented collectively by virtual switches 115A-C and represented internally using forwarding tables 116A-C at respective virtual switches 115A-C. The term “packet” may refer generally to a group of bits that can be transported together from a source to a destination, such as message, segment, datagram, etc.

Further, logical distributed routers that provide logical layer-3 connectivity may be implemented collectively by DR instances 117A-C and represented internally using routing tables 118A-C at respective DR instances 117A-C. A logical router may be a distributed router (DR), service router (SR), etc. A DR represents a distributed routing component that is deployed to provide routing services for virtualized computing instances (e.g., VMs 131-136) to which the DR is connected. A DR may be implemented in a distributed manner in that it may span multiple hosts that support those virtualized computing instances. An SR represents a centralized routing component that is deployed to provide centralized stateful services, such as firewall protection, load balancing, network address translation (NAT), etc. As used herein, the term “layer-2” may refer generally to a hardware layer (e.g., Media Access Control (MAC) layer); and “layer-3” to a network layer (e.g., Internet Protocol (IP) layer) in the Open System Interconnection (OSI) model, although the concepts described herein may be used with other networking models.

Virtual switch 115A/115B/115C also maintains forwarding information to forward packets to and from corresponding VMs 131-136. Packets are received from, or sent to, each VM via an associated logical port. For example, logical ports 161-166 are associated with respective VMs 131-136. As used herein, the term “logical port” may refer generally to a port on a logical switch to which a virtualized computing instance is connected. A “logical switch” may refer generally to an SDN construct that is collectively implemented by virtual switches 115A-C in the example in FIG. 1, whereas a “virtual switch” may refer generally to a software switch or software implementation of a physical switch. In practice, there is usually a one-to-one mapping between a logical port on a logical switch and a virtual port on virtual switch 115A/115B/115C. However, the mapping may change in some scenarios, such as when the logical port is mapped to a different virtual port on a different virtual switch after migration of the corresponding virtualized computing instance (e.g., when the source and destination hosts do not have a distributed virtual switch spanning them).

In SDN environment 100, separate but integrated planes may be implemented, such as data plane, control plane (central control plane and local control plane) and management plane. For example, a data plane may be formed using hypervisors 114A-C supported by hosts 110A-C. SDN manager 180 and SDN controller 170 are network management entities that operate on a central control plane and a management plane, respectively. Network management entity 170/180 may be implemented using physical machine(s), virtual machine(s), or both. One example of an SDN controller is the NSX controller component of VMware NSX® (available from VMware, Inc.) that may be a member of a controller cluster (not shown) and configurable using SDN manager 180. One example of an SDN manager is the NSX manager component of VMware NSX® (available from VMware, Inc.) that provides an interface for end users to perform any suitable configuration in SDN environment 100.

SDN manager 180 and SDN controller 170 facilitate implementation of software-defined (e.g., logical overlay) networks in SDN environment 100. For example, SDN controller 170 is responsible for collecting and disseminating control information relating to logical overlay networks and overlay transport tunnels, such as logical network topology, membership information of logical overlay networks, mobility of the members, firewall rules and policies, etc. To send and receive the control information, each host 110A/110B/110C may implement local control plane (LCP) agent 119A/119B/119C to interact with central control plane module 172 on SDN controller 170. For example, control-plane channel 101/102/103 may be established between SDN controller 170 and host 110A/110B/110C using Transmission Control Protocol (TCP) over Secure Sockets Layer (SSL), etc.

In the example in FIG. 1, VMs 131-136 supported by hosts 110A-C may be deployed in different networks 191-193. In particular, VM1 131 and VM3 133 are located in first network-1 191 (e.g., 10.10.0.0/22), VM2 132 and VM5 135 in second network-2 192 (e.g., 20.20.0.0/22), and VM4 134 and VM6 136 in third network-3 193 (e.g., 30.30.0.0/22). In practice, networks 191-193 may be logical overlay networks that are formed using any suitable protocol, such as Virtual eXtensible Local Area Network (VXLAN), Stateless Transport Tunneling (STT), Generic Network Virtualization Encapsulation (GENEVE), etc. For example, VXLAN is a layer-2 overlay scheme on a layer-3 network that uses tunnel encapsulation to extend layer-2 segments across multiple hosts. To facilitate communication among members of a logical overlay network, hypervisor 114A/114B/114C implements a virtual tunnel endpoint (VTEP) to encapsulate egress packets from a source with an outer (tunnel) header identifying the logical overlay network. The VTEP performs decapsulation before virtual switch 115A/115B/115C forwards (decapsulated) packets to a destination.

In practice, it may be desirable to learn the address information of various components in SDN environment 100 for various purposes, such as management, configuration, etc. For example, a network administrator may wish to set up automated configuration or creation of a cluster of SDN managers 180 on the management plane, creation of a cluster of SDN controllers 170 on the central control plane, creation of a cluster of edge nodes, creation of transport nodes, logical switches for layer-2 or layer-3 connectivity, etc. In order to perform the automated configuration, the address information of components such as SDN manager 180, SDN controller 170, hypervisors 114A-C and VMs 131-136 is required.

Conventionally, network scanning may be performed to identify active nodes on a network. In practice, any suitable network scanning tool may be used, such as network port scanning using Network Mapper (NMAP), etc. In particular, NMAP is an open source network scanning utility that may be used for network exploration and security auditing. Network port scanning generally involves sending data packets via a particular network to specified port number(s) of a network node to identify the available network services on that network node. However, one main limitation of NMAP is that it is designed to assist users with scanning their own networks. For example, due to security reasons, a member of one network will not be able to retrieve the hardware address information of members of a remote, different network.

To circumvent the above problem associated with NMAP, one conventional approach may be to rely on management features supported by virtual infrastructure management platforms. For example, VMware vCenter Server™ (available from VMware, Inc.) is a platform that facilitates centralized management of virtualized hosts and VMs in SDN environment 100. However, this approach may only be feasible for some hosts (e.g., ESX hosts) managed using the platform, and not for other hosts that use a different hardware virtualization technology (e.g., KVM hosts). In SDN environment 100 that may have tens or hundreds of hypervisors implementing various hardware virtualization technologies, it is challenging to obtain the hardware address information associated with workloads deployed in different networks.

Agent-Based Network Scanning

According to examples of the present disclosure, network scanning may be performed in SDN environment 100 using an agent-based approach. For example, FIG. 2 is a schematic diagram illustrating example agent-based network scanning 200 in example SDN environment 100 in FIG. 1. Compared to the physical implementation view in FIG. 1, FIG. 2 also represents a management plane view of how various components (e.g., VMs 131-136) are represented internally. Depending on the desired implementation, SDN environment 100 may include additional and/or alternative component(s) than that shown in FIG. 1 and FIG. 2.

To facilitate network scanning, network scanning controller 210 and multiple agents 221-223 are deployed in SDN environment 100. FIG. 2 will be explained using FIG. 3, which is a flowchart of example process 300 to perform agent-based network scanning in SDN environment 100. Example process 300 may include one or more operations, functions, or actions illustrated by one or more blocks, such as 310 to 340. The various blocks may be combined into fewer blocks, divided into additional blocks, and/or eliminated depending on the desired implementation. In the following, network-1 191 will be used as an example “first network,” network-2 192 as an example “second network,” agents 221-222 as example “first agent” and “second agent,” VM1 131 and VM3 133 as example “first workloads,” VM2 132 and VM5 135 as example “second workloads,” etc.

At 310 in FIG. 3, network scanning controller 210 receives a request to perform network scanning in multiple networks that include first network 191 and second network 192. At 320, network scanning controller 210 performs a first network scan using first agent 221 to obtain first address mapping information associated with VM1 131 and VM3 133 (see 231 in FIG. 2). At 330, network scanning controller 210 performs a second network scan using second agent 222 to obtain second address mapping information associated with VM2 132 and VM5 135 (see 232 in FIG. 2). At 340, network scanning controller 210 generates aggregated address mapping information (see 240 in FIG. 2) that includes the first address mapping information and the second address mapping information.

As used herein, the term “network scanning controller” (e.g., NMAP controller) may refer generally to any suitable component that is capable of performing network scans using agents 221-223 deployed in respective networks 191-193 according to examples of the present disclosure. In practice, network scanning controller 210 may be a virtual entity, physical entity, etc. For example, network scanning controller 210 may be implemented using a virtualized computing instance supported by host 110A/110B/110D or any other host(s), a virtual/physical component of SDN controller 170, or a virtual/physical component of SDN manager 180, etc.

Similarly, agents 221-223 may each be a virtual entity, physical entity, etc. For example in FIG. 1 and FIG. 2, agents 221-223 may be virtualized computing instances supported by host 110A/110B/110D or any other host(s). First agent 221, VM1 131 and VM3 are located in network-1 191, while second agent 222, VM2 132 and VM5 135 are located in network-2 192. Additionally in FIG. 2, third agent 223, VM4 134 and VM6 136 are located in network-2 192. In this case, network scanning controller 210 may perform a third network scan using third agent 223 to obtain third address mapping information (see 233 in FIG. 2) associated with VM4 134 and VM6 136 (“third workloads”).

According to examples of the present disclosure, agents 221-223 may obtain address mapping information 231-233 in their respective networks 191-193. Network scanning controller 210 may generate aggregated address mapping information 240 based on address mapping information 231-233. Network scanning controller 210 may be deployed in any suitable network, such as network-0 (e.g., 100.168.10.0/22; see 212) in FIG. 2. As will be further described using FIG. 4 to FIG. 6B, “address mapping information” 231-233 may specify the mapping between one type of address information and another type of address information, such as hardware address information (e.g., MAC address) with network address information (e.g., IP address) associated with VMs 131-136.

Throughout the present disclosure, it should be understood that the term “workloads” (e.g., “first workloads” at 320 and “second workloads” at 330 in FIG. 3) may refer generally to virtual workloads (e.g., VMs 131-136) and/or physical workloads (also known as physical server, physical machine, host, etc.). For example in FIG. 2, a physical workload (not shown for simplicity) may be deployed in the same network 191 as first agent 221. In this case, network scanning controller 210 may perform the first network scan using first agent 221 to obtain address mapping information associated with the physical workload. Further, a “virtual workload” may be any suitable virtualized computing instance, such as a container running inside a VM, etc. Some examples will be discussed further using FIG. 7.

Detailed Example

FIG. 4 is a flowchart of example detailed process 400 for agent-based network scanning in SDN environment 100. Example process 400 may include one or more operations, functions, or actions illustrated at 410 to 475. The various operations, functions or actions may be combined into fewer blocks, divided into additional blocks, and/or eliminated depending on the desired implementation. FIG. 5 is a schematic diagram illustrating example agent-based network scanning 500 in SDN environment 100 according to the example in FIG. 4.

At 410 and 415 in FIG. 4, SDN manager 180 and/or SDN controller 170 configures network scanning controller 210 and N agents in SDN environment 100. In the example in FIG. 5, consider a case of N=3 where network scanning controller 210 is deployed in network-0=100.168.10.0/22 (see 212), first agent 221 in network-1=10.10.0.0/22 (see 191), second agent 222 in network-2=20.10.0.0/22 (see 192) and third agent 223 in network-3=30.10.0.0/22 (see 193). It should be noted that SDN manager 180 and SDN controller 170 may be located in a different network, such as network-4=200.10.10.0/22 (see 212).

The configuration at blocks 410-415 may be initiated by a user (e.g., network administrator) via any suitable interface provided by SDN manager 180, such as application programming interface (API), graphical user interface (GUI), command line interface (CLI), etc. Based on the user's input configuration information, SDN manager 180 may instruct SDN controller 160 to deploy and/or configure network scanning controller 210 and agents 221-223. Alternatively or additionally, blocks 410-415 may be performed automatically (e.g., using a script, etc.).

In practice, network scanning controller 210 and agents 221-223 may be configured as virtualized computing instances (e.g., virtual machine, container, etc.), physical entities, a combination thereof, etc. Using the example in FIG. 2, network scanning controller 210 may be a VM (e.g., lightweight Linux machine) supported by host 110A/110B/110C or any other host. Similarly, agents 221-223 may be VMs (e.g., lightweight Linux machines) supported by host-A 110A, host-B 110B and host-C 110C respectively. In another example, multiple agents 221-223 may be deployed on one host (e.g., host-D, not shown for simplicity). In the example in FIG. 5, agents 221-223 are configured to have network scanning capability, such as by executing respective NMAP utilities 531-533, etc. Each agent may be configured with a scanner script that will scan all workloads located in the same network as the agent.

Any suitable tool may be used to configure network scanning controller 210 and agents 221-223. For example, Ansible (a trademark of Red Hat, Inc.) is software that automates software provisioning, configuration management and deployment. A language called Ansible Playbook may be used to manage configurations of, and deployments to, remote machines by sending commands in a scripted manner. For example, to deploy a VM on host-A 110A (e.g., an ESXi host using .ova file extension), an “ovftool” utility in Ansible Playbook may be used. To deploy a VM on host-B 110B (e.g., a KVM host using .qcow2 or .img file extension), the “guestfish” and “virsh” utilities may be used.

At 420 in FIG. 4, SDN controller 170 requests network scanning controller 210 to perform network scanning in SDN environment 100. For example in FIG. 5, network scanning controller 210 receives request 510 to perform network scanning in network-i, where i=1, . . . , N and N=3. In practice, request 510 may identify all networks in which network scanning is required or a subset of the networks (e.g., network-1 191 and network-3 193), such as using an IP subnet address range, multiple IP subnet addresses, etc.

At 425 and 430 in FIG. 4, in response to receiving request 510 from SDN controller 170, network scanning controller 210 identifies network-i in which network scanning is required. At 435 and 455 in FIG. 4, network scanning controller 210 performs a network scan in network-i using agent-i to obtain address mapping information associated with VMs located in each network-i.

In the example in FIG. 5, block 435 may involve network scanning controller 210 generating and sending first request 521 to first agent 221 in network-1 191, second request 522 to second agent 222 in network-2 192 and third request 523 to third agent 223 in network-3 193. In practice, requests 521-523 may each represent a message, signal or instruction sent by network scanning controller 210, or an invocation of API(s) supported by agents 221-223, etc.

At 440 and 445 in FIG. 4, in response to receiving request 521/522/523, agent 221/222/223 determines address mapping information associated with workloads in network 191/192/193. At 450 in FIG. 4, agent 221/222/223 sends address mapping information 541/542/543 to network scanning controller 210.

Address mapping information 541/542/543 may be determined at block 445 using any suitable approach, such as by executing NMAP utility 531/532/533. Depending on the desired implementation, any suitable NMAP parameters may be used to specify scan techniques (e.g., ‘-sN’), port specification (e.g., ‘-p<port ranges>’), scan order (e.g., ‘-F’ for fast mode), service/version detection (e.g., ‘-sV’), OS detection (e.g., ‘-O’), timing and performance (e.g., ‘-T<0-5>’), firewall evasion and spoofing (e.g., ‘-S<IP_Address>’ to spoof source IP address), output options (e.g., ‘-v’ to increase verbosity level), etc. The NMAP parameters may be configured by network scanning controller 210 and specified in requests 521-523. In practice, NMAP utility 531/532/533 may rely on characteristics of the TCP/IP stack implemented by VMs 131-136 and connection over Secure Shell (SSH) to perform network scanning. Any additional and/or alternative technique may be used to perform network scanning.

FIG. 6A is a schematic diagram illustrating example address mapping information obtained by network scanning controller 210 from agents 221-223 in the example in FIG. 5. At 610 in FIG. 6A, a first scan report is generated by first agent 221 in network-1=10.10.0.0/22 using NMAP utility 531. First scan report 610 identifies (MAC1, IP1=10.10.0.181) associated with VM1 131 and (MAC3, IP3=10.10.0.182) associated with VM3 133. It should be noted that the phrase “Host is up” in first scan report 610 refers to VM1 131 or VM3 133, instead of the physical host supporting the virtual machine. Although “MAC1” and “MAC3” are shown in first scan report 610 in FIG. 6A for simplicity, it should be understood that a MAC address is generally a 48-bit address.

At 620 in FIG. 6A, a second scan report is generated by second agent 222 in network-2=20.20.0.0/22 using NMAP utility 532. Second scan report 620 identifies (MAC2, IP2=20.20.0.212) associated with VM2 132 and (MAC5, IP5=20.20.0.215) associated with VM5 135. Similarly, third scan report 630 is generated by third agent 223 in network-3=30.30.0.0/22 using NMAP utility 533. The third scan report identifies (MAC4, IP4=30.30.0.4) associated with VM4 134 and (MAC6, IP6=30.30.0.6) associated with VM6 136. Depending on the NMAP parameters used, scan reports 610-630 may include any other information, such as machine vendor information (e.g., “Vendor-1,” “Vendor-2” and “Vendor-3” in FIG. 6A), completion time, etc.

At 455 and 460 in FIG. 4, network scanning controller 210 generates aggregated address mapping information 550 based on address mapping information 541-543 from respective agents 221-223. At 465 in FIG. 4, network scanning controller 210 responds to request 510 from SDN controller 170 by generating and sending response 560 specifying aggregated address mapping information 550. Address mapping information 541-543 and aggregated address mapping information 550 may be generated or stored in any suitable format, such as JavaScript Object Notation (JSON), eXtensible Markup Language (XML), etc.

In the example in FIG. 5, network scanning controller 210 learns (MAC1, IP1) and (MAC3, IP3) in first address mapping information 541 from first agent 221. Network scanning controller 210 also learns (MAC2, IP2) and (MAC5, IP5) in second address mapping information 542 from second agent 222, as well as (MAC4, IP4) and (MAC6, IP6) in third address mapping information 543 from third agent 223. Aggregated address mapping information 550 includes address mapping information 541-543 from different networks 191-193.

An example is shown in FIG. 6B, which is a schematic diagram illustrating example aggregated address mapping information 550 generated by network scanning controller 210 in the example in FIG. 5. In particular, aggregated address mapping information 550 includes (MAC1, IP1) associated with VM1 131 (see 551) and (MAC3, IP3) associated with VM3 133 (see 552) located in network-1=10.10.0.0/22; (MAC2, IP2) associated with VM2 132 (see 553) and (MAC5, IP5) associated with VM5 135 (see 554) located in network-2=20.20.0.0/22; and (MAC4, IP4) associated with VM4 134 (see 555) and (MAC6, IP6) associated with VM6 136 (see 556) located in network-3=30.30.0.0/22.

As such, according to examples of the present disclosure, an agent-based approach may be implemented to help eliminate the limitation of the NMAP utility of not gathering MAC address information of available hosts (e.g., VMs 131-136) in different remote networks 191-193 due to security reasons. Thus, retrieving IP address information of workload VMs running on remote KVM hosts or any host is possible even in the absence of vCenter API or any software-defined data center (SDDC) management platform.

To facilitate secure transfer of address mapping information 541-543 and aggregated address mapping information 550, an authentication mechanism may be implemented to establish secure channels between network scanning controller 210 and respective agents 221-223, as well as between network scanning controller 210 and SDN controller 170. For example in FIG. 5, a certificate-based authentication mechanism may be implemented over secure channels 571-573 to address security vulnerability and reduce the likelihood of a malicious attack (e.g., man-in-the-middle attack) by a third party. In particular, network scanning controller 210 may receive first address mapping information 541 via a first secure channel (see 571) established with first agent 221, second address mapping information 542 via a second secure channel (see 572) established with second agent 222, and third address mapping information 543 via a third secure channel (see 573) established with third agent 223.

In practice, aggregated address mapping information 550 may be used for any suitable purpose, such as automated configuration, management, etc. In one example, automation tools or scripts may be configured to retrieve IP address information of any remote VMs 131-136 based on aggregated address mapping information 550. For example, since IP address information is generally susceptible to change, the MAC address information may be used as a "search key" or "query key" to retrieve the associated IP address information. In this case, according to blocks 470 and 475 in FIG. 4, in response to receiving a query identifying hardware address information of a particular virtual machine, network address information associated with the particular VM is determined based on aggregated address mapping information 550.

Referring to the example in FIG. 6B, at 640, in response to receiving a first query for MAC5, network scanning controller 210 or SDN controller 170 may generate and send a response identifying IP5 associated with MAC5. At 650, in response to receiving a second query for MAC3, a response identifying IP3 associated with MAC3 may be generated and sent. At 660, in response to receiving a third query for MAC4, a response identifying IP4 associated with MAC4 may be generated and sent. If the IP address information of VM4 134 is updated from IP4=30.30.0.4 to IP7=30.30.0.400 at another point in time, a subsequent query for MAC4 will return a response identifying the latest IP7. Although MAC address information has been used as an example search key, it should be appreciated that any other unique identifier(s) may be used. In practice, blocks 470-475 may be performed by SDN controller 170 and/or any other suitable entity in SDN environment 100.
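The aggregation of per-network scan results and the MAC-keyed query of blocks 470-475 can be illustrated with the following added example (not code from the patent or from any product). It assumes each agent returns the XML that `nmap -sn -oX -` writes; the MAC and IP values are constructed, and the network names follow the three networks of FIG. 5.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample of nmap XML output, one document per agent/network.
# Only a scan run from inside the segment reports a MAC <address>, which is
# why the down host on network-3 (and any remote scan) carries none.
AGENT_RESULTS = {
    "10.10.0.0/22": """<nmaprun><host><status state="up"/>
        <address addr="10.10.0.1" addrtype="ipv4"/>
        <address addr="00:50:56:00:00:01" addrtype="mac"/></host>
      <host><status state="up"/>
        <address addr="10.10.0.3" addrtype="ipv4"/>
        <address addr="00:50:56:00:00:03" addrtype="mac"/></host></nmaprun>""",
    "20.20.0.0/22": """<nmaprun><host><status state="up"/>
        <address addr="20.20.0.2" addrtype="ipv4"/>
        <address addr="00:50:56:00:00:02" addrtype="mac"/></host>
      <host><status state="up"/>
        <address addr="20.20.0.5" addrtype="ipv4"/>
        <address addr="00:50:56:00:00:05" addrtype="mac"/></host></nmaprun>""",
    "30.30.0.0/22": """<nmaprun><host><status state="up"/>
        <address addr="30.30.0.4" addrtype="ipv4"/>
        <address addr="00:50:56:00:00:04" addrtype="mac"/></host>
      <host><status state="up"/>
        <address addr="30.30.0.6" addrtype="ipv4"/>
        <address addr="00:50:56:00:00:06" addrtype="mac"/></host>
      <host><status state="down"/>
        <address addr="30.30.0.9" addrtype="ipv4"/></host></nmaprun>""",
}


def parse_agent_scan(xml_text: str) -> List[Tuple[str, str]]:
    """Return (MAC, IPv4) pairs for hosts that are up and carry a MAC entry."""
    pairs = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        if "mac" in addrs and "ipv4" in addrs:
            pairs.append((addrs["mac"].lower(), addrs["ipv4"]))
    return pairs


class NetworkScanningController:
    """Hypothetical controller: aggregates agent results keyed by MAC."""

    def __init__(self) -> None:
        # mac -> (ip, network). The MAC is the stable key, so a later rescan
        # of the same network simply overwrites a workload's current IP.
        self.aggregated: Dict[str, Tuple[str, str]] = {}

    def aggregate(self, agent_results: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
        """Merge one XML result per network into the aggregated mapping."""
        for network, xml_text in agent_results.items():
            for mac, ip in parse_agent_scan(xml_text):
                self.aggregated[mac] = (ip, network)
        return self.aggregated

    def query(self, mac: str) -> Optional[str]:
        """Blocks 470-475: resolve a MAC to its latest known IP, or None."""
        entry = self.aggregated.get(mac.lower())
        return entry[0] if entry else None
```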

According to examples of the present disclosure, aggregated address mapping information 550 may be used to simplify network automation workflows, such as establishing layer-2 and/or layer-3 connectivity between VMs 131-136 in different networks 191-193. Further, various validation and/or verification operations may be performed based on aggregated address mapping information 550, such as verification of mesh ping operations among VMs 131-136 connected over logical overlay networks, and validation and verification of networking capabilities (e.g., logical switching, logical routing, Dynamic Host Configuration Protocol (DHCP), routing, virtual private network (VPN), firewall, etc.). Similarly, IP address information required for these operations may be retrieved based on MAC address information according to the example in FIG. 4. In practice, these operations may be performed using SDN manager 180 (e.g., initiated by a user through GUI/API) or SDN controller 170, and/or any other suitable entity in SDN environment 100.

Container Implementation

Although explained using VMs 131-136, it should be understood that "first workloads" and "second workloads" in the example in FIG. 2 may include other virtualized computing instances (such as containers) and/or physical workloads. In this case, network scanning controller 210 may obtain address mapping information associated with physical workload(s), container(s), VM(s), or a combination thereof. Some examples will be described using FIG. 7, which is a schematic diagram illustrating example agent-based network scanning 700 in an SDN environment with physical workloads and containers.

In the example in FIG. 7, container technologies may be used to run various containers 711-715 inside respective VMs 721-724. As used herein, the term "container" (also known as "container instance") is used generally to describe an application that is encapsulated with all its dependencies (e.g., binaries, libraries, etc.). For example, containers C1 711 and C2 712 may be executed as isolated processes inside VM7 721. Similarly, C3 713 and C4 714 may be executed as isolated processes inside respective VM8 722 and VM9 723, and C5 715 inside VM10 724. Containers 711-715 are "OS-less", meaning that they do not include any OS that could weigh 10s of Gigabytes (GB). This makes containers 711-715 more lightweight, portable, efficient and suitable for delivery into an isolated OS environment. Running containers inside a VM (known as the "containers-on-virtual-machine" approach) not only leverages the benefits of container technologies but also those of virtualization technologies. Further in FIG. 7, physical workloads such as host-D 725 and host-E 726 are located in network-1 191 and network-3 193, respectively.

Similar to the examples in FIG. 1 to FIG. 6, network scanning controller 210 may perform network scanning in network-1=10.10.0.0/22 using first agent 221 to obtain first address mapping information 731 that includes (MAC-C1, IP-C1) associated with C1 711, (MAC-C2, IP-C2) associated with C2 712 and (MAC-D, IP-D) associated with first physical workload 725. Also, network scanning controller 210 may perform network scanning in network-2=20.20.0.0/22 using second agent 222 to obtain second address mapping information 732 that includes (MAC-C3, IP-C3) associated with C3 713 and (MAC-C4, IP-C4) associated with C4 714. Further, network scanning controller 210 may perform network scanning in network-3=30.30.0.0/22 using third agent 223 to obtain third address mapping information 733 that includes (MAC-C5, IP-C5) associated with C5 715 and (MAC-E, IP-E) associated with second physical workload 726. Similar to the example in FIG. 6B, network scanning controller 210 may generate aggregated address mapping information 740 based on address mapping information 731-733.

Computer System

The above examples can be implemented by hardware (including hardware logic circuitry), software or firmware or a combination thereof. The above examples may be implemented by any suitable computing device, computer system, etc. The computer system may include processor(s), memory unit(s) and physical NIC(s) that may communicate with each other via a communication bus, etc. The computer system may include a non-transitory computer-readable medium having stored thereon instructions or program code that, when executed by the processor, cause the processor to perform processes described herein with reference to FIG. 1 to FIG. 7. For example, computer system(s) capable of supporting network scanning controller 210 and/or agents 221-223 may be deployed in SDN environment 100.

The techniques introduced above can be implemented in special-purpose hardwired circuitry, in software and/or firmware in conjunction with programmable circuitry, or in a combination thereof. Special-purpose hardwired circuitry may be in the form of, for example, one or more application-specific integrated circuits (ASICs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), and others. The term 'processor' is to be interpreted broadly to include a processing unit, ASIC, logic unit, or programmable gate array etc.

The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, it will be understood by those within the art that each function and/or operation within such block diagrams, flowcharts, or examples can be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or any combination thereof.

Those skilled in the art will recognize that some aspects of the embodiments disclosed herein, in whole or in part, can be equivalently implemented in integrated circuits, as one or more computer programs running on one or more computers (e.g., as one or more programs running on one or more computing systems), as one or more programs running on one or more processors (e.g., as one or more programs running on one or more microprocessors), as firmware, or as virtually any combination thereof, and that designing the circuitry and/or writing the code for the software and/or firmware would be well within the skill of one of skill in the art in light of this disclosure.

Software and/or firmware to implement the techniques introduced here may be stored on a non-transitory computer-readable storage medium and may be executed by one or more general-purpose or special-purpose programmable microprocessors. A "computer-readable storage medium", as the term is used herein, includes any mechanism that provides (i.e., stores and/or transmits) information in a form accessible by a machine (e.g., a computer, network device, personal digital assistant (PDA), mobile device, manufacturing tool, any device with a set of one or more processors, etc.). A computer-readable storage medium may include recordable/non-recordable media (e.g., read-only memory (ROM), random access memory (RAM), magnetic disk or optical storage media, flash memory devices, etc.).

The drawings are only illustrations of an example, wherein the units or procedure shown in the drawings are not necessarily essential for implementing the present disclosure. Those skilled in the art will understand that the units in the device in the examples can be arranged in the device in the examples as described, or can be alternatively located in one or more devices different from that in the examples. The units in the examples described can be combined into one module or further divided into a plurality of sub-units.

What is claimed is:
1. A method for a network scanning controller to perform agent-based network scanning in a software-defined networking (SDN) environment that includes the network scanning controller, a first agent and a second agent, wherein the method comprises: identifying multiple networks, by and at the network scanning controller, for which network scanning is required, wherein the multiple networks include a first network and a second network, wherein the first network is a first logical overlay network, the second network is a second logical overlay network, and the first network and the second network are different; generating and sending, by and at the network scanning controller, a first request to the first agent to cause the first agent to execute a first network mapper (NMAP) utility to obtain first address mapping information associated with multiple first workloads, wherein the first agent, the multiple first workloads, and the first NMAP utility are located in the first network; generating and sending, by and at the network scanning controller, a second request to the second agent to cause the second agent to execute a second NMAP utility to obtain second address mapping information associated with multiple second workloads, wherein the second agent, the multiple second workloads, and the second NMAP utility are located in the second network; and aggregating, by and at the network scanning controller, the first address mapping information associated with the first network and the second address mapping information associated with the second network to generate aggregated address mapping information.

2. The method of claim 1, wherein the method further comprises: receiving, from the first agent, the first address mapping information specifying hardware address information and network address information associated with each of the multiple first workloads; and receiving, from the second agent, the second address mapping information specifying hardware address information and network address information associated with each of the multiple second workloads.

3. The method of claim 1, wherein the method further comprises: prior to executing the first NMAP utility and executing the second NMAP utility, receiving a request from a network management entity to perform network scanning in the multiple networks; and generating and sending a response to the network management entity, wherein the response includes the aggregated address mapping information.

4. The method of claim 1, wherein the method further comprises: receiving a query identifying hardware address information of a particular workload; and based on the aggregated address mapping information, determining network address information associated with the particular workload, wherein the particular workload is one of the multiple first workloads or the multiple second workloads.

5. The method of claim 1, wherein the first logical overlay network connects the first agent with the multiple first workloads that include first virtualized computing instances; and the second logical overlay network connects the second agent with the second workloads that include multiple second virtualized computing instances.

6. The method of claim 1, wherein performing the first network scan and the second network scan comprises: receiving the first address mapping information via a first secure channel established between the network scanning controller and the first agent; and receiving the second address mapping information via a second secure channel established between the network scanning controller and the second agent.

7. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a computer system, cause the processor to perform a method of agent-based network scanning in a software-defined networking (SDN) environment that includes the computer system, a first agent and a second agent, wherein the method comprises: identifying multiple networks, by and at the network scanning controller, for which network scanning is required, wherein the multiple networks include a first network and a second network, wherein the first network is a first logical overlay network, the second network is a second logical overlay network, and the first network and the second network are different; generating and sending, by and at the network scanning controller, a first request to the first agent to cause the first agent to execute a first network mapper (NMAP) utility to obtain first address mapping information associated with multiple first workloads, wherein the first agent, the multiple first workloads, and the first NMAP utility are located in the first network; generating and sending, by and at the network scanning controller, a second request to the second agent to cause the second agent to execute a second NMAP utility to obtain second address mapping information associated with multiple second workloads, wherein the second agent, the multiple second workloads, and the second NMAP utility are located in the second network; and aggregating, by and at the network scanning controller, the first address mapping information associated with the first network and the second address mapping information associated with the second network to generate aggregated address mapping information.

8. The non-transitory computer-readable storage medium of claim 7, wherein the method further comprises: receiving, from the first agent, the first address mapping information specifying hardware address information and network address information associated with each of the multiple first workloads; and receiving, from the second agent, the second address mapping information specifying hardware address information and network address information associated with each of the multiple second workloads.

9. The non-transitory computer-readable storage medium of claim 7, wherein the method further comprises: prior to executing the first NMAP utility and executing the second NMAP utility, receiving a request from a network management entity to perform network scanning in the multiple networks; and generating and sending a response to the network management entity, wherein the response includes the aggregated address mapping information.

10. The non-transitory computer-readable storage medium of claim 7, wherein the method further comprises: receiving a query identifying hardware address information of a particular workload; and based on the aggregated address mapping information, determining network address information associated with the particular workload, wherein the particular workload is one of the multiple first workloads or the multiple second workloads.

11. The non-transitory computer-readable storage medium of claim 7, wherein the first logical overlay network connects the first agent with the multiple first workloads that include first virtualized computing instances; and the second logical overlay network connects the second agent with the multiple second workloads that include second virtualized computing instances.

12. The non-transitory computer-readable storage medium of claim 7, wherein performing the first network scan and the second network scan comprises: receiving the first address mapping information via a first secure channel established with the first agent; and receiving the second address mapping information via a second secure channel established with the second agent.

13. A computer system configured to perform agent-based network scanning in a software-defined networking (SDN) environment that includes the computer system, a first agent and a second agent, wherein the computer system comprises: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to: identify multiple networks for which network scanning is required, wherein the multiple networks include a first network and a second network, wherein the first network is a first logical overlay network, the second network is a second logical overlay network, and the first network and the second network are different; generate and send a first request to the first agent to cause the first agent to execute a first network mapper (NMAP) utility to obtain first address mapping information associated with multiple first workloads, wherein the first agent, the multiple first workloads, and the first NMAP utility are located in the first network; generate and send a second request to the second agent to cause the second agent to execute a second network mapper (NMAP) utility to obtain second address mapping information associated with multiple second workloads, wherein the second agent, the multiple second workloads, and the second NMAP utility are located in the second network; and aggregate, by and at the computer system, the first address mapping information associated with the first network and the second address mapping information associated with the second network to generate aggregated address mapping information.

14. The computer system of claim 13, wherein the instructions further cause the processor to: receive, from the first agent, the first address mapping information specifying hardware address information and network address information associated with each of the multiple first workloads; and receive, from the second agent, the second address mapping information specifying hardware address information and network address information associated with each of the multiple second workloads.

15. The computer system of claim 13, wherein the instructions further cause the processor to: prior to executing the first NMAP utility and executing the second NMAP utility, receive a request from a network management entity to perform network scanning in the multiple networks; and generate and send a response to the network management entity, wherein the response includes the aggregated address mapping information.

16. The computer system of claim 13, wherein the instructions further cause the processor to: receive a query identifying hardware address information of a particular workload; and based on the aggregated address mapping information, determine network address information associated with the particular workload, wherein the particular workload is one of the multiple first workloads or the multiple second workloads.

17. The computer system of claim 13, wherein the first logical overlay network connects the first agent with the multiple first workloads that include first virtualized computing instances; and the second logical overlay network connects the second agent with the multiple second workloads that include second virtualized computing instances.

18. The computer system of claim 13, wherein instructions for performing the first network scan and the second network scan cause the processor to: receive the first address mapping information via a first secure channel established with the first agent; and receive the second address mapping information via a second secure channel established with the second agent.